Client Patching at Microsoft

Among all the companies affected by security issues in Microsoft software, none may feel them more acutely than Microsoft itself. To protect its internal systems, Microsoft uses a combination of Systems Management Server (SMS), Windows Update, e-mail, and log-on scripts to distribute and install critical patches to clients on its internal corporate network and to ensure client PCs are running up-to-date software.

Although Microsoft’s IT groups face problems unique to software development companies, such as development labs running nonstandard client software, the processes and technologies these groups use to protect client PCs can be useful as a benchmark for other companies. Furthermore, understanding how Microsoft deploys SMS 2003 companywide could help other IT shops evaluate their own plans for the product.

How Microsoft Keeps Clients Secure

Two groups in Microsoft’s IT organization are responsible for keeping client PCs secure. The Corporate Security (CorpSecIT) group tracks and assesses the potential impact of vulnerabilities, software bugs that expose systems to attacks such as worms or viruses. The Global Client Software (GCS) group tests and distributes patches, code that fixes vulnerabilities. (For a review of patch-related terminology and concepts, see the sidebar “Vulnerabilities, Exploits, and Patches“.) These groups work together to gauge user compliance with patch requests across the company and address noncompliance. These two organizations are highly placed in the company-they report directly to Microsoft’s Chief Information Officer, Rick Devenuti.